"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "lib/base/tlsutility.cpp" between
icinga2-2.11.5.tar.gz and icinga2-2.12.0.tar.gz

About: Icinga 2 is an enterprise grade monitoring system which keeps watch over networks and any conceivable network resource.

tlsutility.cpp  (icinga2-2.11.5):tlsutility.cpp  (icinga2-2.12.0)
/* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */ /* Icinga 2 | (c) 2012 Icinga GmbH | GPLv2+ */
#include "base/tlsutility.hpp" #include "base/tlsutility.hpp"
#include "base/convert.hpp" #include "base/convert.hpp"
#include "base/logger.hpp" #include "base/logger.hpp"
#include "base/context.hpp" #include "base/context.hpp"
#include "base/convert.hpp"
#include "base/utility.hpp" #include "base/utility.hpp"
#include "base/application.hpp" #include "base/application.hpp"
#include "base/exception.hpp" #include "base/exception.hpp"
#include <boost/asio/ssl/context.hpp> #include <boost/asio/ssl/context.hpp>
#include <openssl/opensslv.h>
#include <openssl/crypto.h>
#include <fstream> #include <fstream>
namespace icinga namespace icinga
{ {
static bool l_SSLInitialized = false; static bool l_SSLInitialized = false;
static boost::mutex *l_Mutexes; static boost::mutex *l_Mutexes;
static boost::mutex l_RandomMutex; static boost::mutex l_RandomMutex;
String GetOpenSSLVersion()
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
return OpenSSL_version(OPENSSL_VERSION);
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
return SSLeay_version(SSLEAY_VERSION);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
}
#ifdef CRYPTO_LOCK #ifdef CRYPTO_LOCK
static void OpenSSLLockingCallback(int mode, int type, const char *, int) static void OpenSSLLockingCallback(int mode, int type, const char *, int)
{ {
if (mode & CRYPTO_LOCK) if (mode & CRYPTO_LOCK)
l_Mutexes[type].lock(); l_Mutexes[type].lock();
else else
l_Mutexes[type].unlock(); l_Mutexes[type].unlock();
} }
static unsigned long OpenSSLIDCallback() static unsigned long OpenSSLIDCallback()
skipping to change at line 61 skipping to change at line 73
#ifdef CRYPTO_LOCK #ifdef CRYPTO_LOCK
l_Mutexes = new boost::mutex[CRYPTO_num_locks()]; l_Mutexes = new boost::mutex[CRYPTO_num_locks()];
CRYPTO_set_locking_callback(&OpenSSLLockingCallback); CRYPTO_set_locking_callback(&OpenSSLLockingCallback);
CRYPTO_set_id_callback(&OpenSSLIDCallback); CRYPTO_set_id_callback(&OpenSSLIDCallback);
#endif /* CRYPTO_LOCK */ #endif /* CRYPTO_LOCK */
l_SSLInitialized = true; l_SSLInitialized = true;
} }
static void SetupSslContext(const std::shared_ptr<boost::asio::ssl::context>& co ntext, const String& pubkey, const String& privkey, const String& cakey) static void SetupSslContext(const Shared<boost::asio::ssl::context>::Ptr& contex t, const String& pubkey, const String& privkey, const String& cakey)
{ {
char errbuf[256]; char errbuf[256];
// Enforce TLS v1.2 as minimum // Enforce TLS v1.2 as minimum
context->set_options( context->set_options(
boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::default_workarounds |
boost::asio::ssl::context::no_compression | boost::asio::ssl::context::no_compression |
boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::no_sslv2 |
boost::asio::ssl::context::no_sslv3 | boost::asio::ssl::context::no_sslv3 |
boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1 |
skipping to change at line 159 skipping to change at line 171
} }
/** /**
* Initializes an SSL context using the specified certificates. * Initializes an SSL context using the specified certificates.
* *
* @param pubkey The public key. * @param pubkey The public key.
* @param privkey The matching private key. * @param privkey The matching private key.
* @param cakey CA certificate chain file. * @param cakey CA certificate chain file.
* @returns An SSL context. * @returns An SSL context.
*/ */
std::shared_ptr<boost::asio::ssl::context> MakeAsioSslContext(const String& pubk ey, const String& privkey, const String& cakey) Shared<boost::asio::ssl::context>::Ptr MakeAsioSslContext(const String& pubkey, const String& privkey, const String& cakey)
{ {
namespace ssl = boost::asio::ssl; namespace ssl = boost::asio::ssl;
InitializeOpenSSL(); InitializeOpenSSL();
auto context (std::make_shared<ssl::context>(ssl::context::tlsv12)); auto context (Shared<ssl::context>::Make(ssl::context::tlsv12));
SetupSslContext(context, pubkey, privkey, cakey); SetupSslContext(context, pubkey, privkey, cakey);
return context; return context;
} }
/** /**
* Set the cipher list to the specified SSL context. * Set the cipher list to the specified SSL context.
* @param context The ssl context. * @param context The ssl context.
* @param cipherList The ciper list. * @param cipherList The ciper list.
**/ **/
void SetCipherListToSSLContext(const std::shared_ptr<boost::asio::ssl::context>& context, const String& cipherList) void SetCipherListToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& con text, const String& cipherList)
{ {
char errbuf[256]; char errbuf[256];
if (SSL_CTX_set_cipher_list(context->native_handle(), cipherList.CStr()) == 0) { if (SSL_CTX_set_cipher_list(context->native_handle(), cipherList.CStr()) == 0) {
Log(LogCritical, "SSL") Log(LogCritical, "SSL")
<< "Cipher list '" << "Cipher list '"
<< cipherList << cipherList
<< "' does not specify any usable ciphers: " << "' does not specify any usable ciphers: "
<< ERR_peek_error() << ", \"" << ERR_peek_error() << ", \""
<< ERR_error_string(ERR_peek_error(), errbuf) << "\""; << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
skipping to change at line 218 skipping to change at line 230
<< "Available TLS cipher list: " << cipherNames->Join(" "); << "Available TLS cipher list: " << cipherNames->Join(" ");
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */ #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
} }
/** /**
* Set the minimum TLS protocol version to the specified SSL context. * Set the minimum TLS protocol version to the specified SSL context.
* *
* @param context The ssl context. * @param context The ssl context.
* @param tlsProtocolmin The minimum TLS protocol version. * @param tlsProtocolmin The minimum TLS protocol version.
*/ */
void SetTlsProtocolminToSSLContext(const std::shared_ptr<boost::asio::ssl::conte xt>& context, const String& tlsProtocolmin) void SetTlsProtocolminToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, const String& tlsProtocolmin)
{ {
// tlsProtocolmin has no effect since we enforce TLS 1.2 since 2.11. // tlsProtocolmin has no effect since we enforce TLS 1.2 since 2.11.
/* /*
std::shared_ptr<SSL_CTX> sslContext = std::shared_ptr<SSL_CTX>(context->n ative_handle()); std::shared_ptr<SSL_CTX> sslContext = std::shared_ptr<SSL_CTX>(context->n ative_handle());
long flags = SSL_CTX_get_options(sslContext.get()); long flags = SSL_CTX_get_options(sslContext.get());
flags |= ...; flags |= ...;
SSL_CTX_set_options(sslContext.get(), flags); SSL_CTX_set_options(sslContext.get(), flags);
*/ */
} }
/** /**
* Loads a CRL and appends its certificates to the specified SSL context. * Loads a CRL and appends its certificates to the specified SSL context.
* *
* @param context The SSL context. * @param context The SSL context.
* @param crlPath The path to the CRL file. * @param crlPath The path to the CRL file.
*/ */
void AddCRLToSSLContext(const std::shared_ptr<boost::asio::ssl::context>& contex t, const String& crlPath) void AddCRLToSSLContext(const Shared<boost::asio::ssl::context>::Ptr& context, c onst String& crlPath)
{ {
char errbuf[256]; char errbuf[256];
X509_STORE *x509_store = SSL_CTX_get_cert_store(context->native_handle()) ; X509_STORE *x509_store = SSL_CTX_get_cert_store(context->native_handle()) ;
X509_LOOKUP *lookup; X509_LOOKUP *lookup;
lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file()); lookup = X509_STORE_add_lookup(x509_store, X509_LOOKUP_file());
if (!lookup) { if (!lookup) {
Log(LogCritical, "SSL") Log(LogCritical, "SSL")
<< "Error adding X509 store lookup: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\""; << "Error adding X509 store lookup: " << ERR_peek_error() << ", \"" << ERR_error_string(ERR_peek_error(), errbuf) << "\"";
skipping to change at line 809 skipping to change at line 821
X509_STORE_add_cert(store, caCertificate.get()); X509_STORE_add_cert(store, caCertificate.get());
X509_STORE_CTX *csc = X509_STORE_CTX_new(); X509_STORE_CTX *csc = X509_STORE_CTX_new();
X509_STORE_CTX_init(csc, store, certificate.get(), nullptr); X509_STORE_CTX_init(csc, store, certificate.get(), nullptr);
int rc = X509_verify_cert(csc); int rc = X509_verify_cert(csc);
X509_STORE_CTX_free(csc); X509_STORE_CTX_free(csc);
X509_STORE_free(store); X509_STORE_free(store);
if (rc == 0) {
int err = X509_STORE_CTX_get_error(csc);
BOOST_THROW_EXCEPTION(openssl_error()
<< boost::errinfo_api_function("X509_verify_cert")
<< errinfo_openssl_error(err));
}
return rc == 1; return rc == 1;
} }
bool IsCa(const std::shared_ptr<X509>& cacert)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/* OpenSSL 1.1.x provides https://www.openssl.org/docs/man1.1.0/man3/X509
_check_ca.html
*
* 0 if it is not CA certificate,
* 1 if it is proper X509v3 CA certificate with basicConstraints extensio
n CA:TRUE,
* 3 if it is self-signed X509 v1 certificate
* 4 if it is certificate with keyUsage extension with bit keyCertSign se
t, but without basicConstraints,
* 5 if it has outdated Netscape Certificate Type extension telling that
it is CA certificate.
*/
return (X509_check_ca(cacert.get()) == 1);
#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
BOOST_THROW_EXCEPTION(std::invalid_argument("Not supported on this platfo
rm, OpenSSL version too old."));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
}
int GetCertificateVersion(const std::shared_ptr<X509>& cert)
{
return X509_get_version(cert.get()) + 1;
}
String GetSignatureAlgorithm(const std::shared_ptr<X509>& cert)
{
int alg;
int sign_alg;
X509_PUBKEY *key;
X509_ALGOR *algor;
key = X509_get_X509_PUBKEY(cert.get());
X509_PUBKEY_get0_param(nullptr, nullptr, 0, &algor, key); //TODO: Error h
andling
alg = OBJ_obj2nid (algor->algorithm);
#if OPENSSL_VERSION_NUMBER < 0x10100000L
sign_alg = OBJ_obj2nid((cert.get())->sig_alg->algorithm);
#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
sign_alg = X509_get_signature_nid(cert.get());
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
return Convert::ToString((sign_alg == NID_undef) ? "Unknown" : OBJ_nid2ln
(sign_alg));
}
Array::Ptr GetSubjectAltNames(const std::shared_ptr<X509>& cert)
{
GENERAL_NAMES* subjectAltNames = (GENERAL_NAMES*)X509_get_ext_d2i(cert.ge
t(), NID_subject_alt_name, nullptr, nullptr);
Array::Ptr sans = new Array();
for (int i = 0; i < sk_GENERAL_NAME_num(subjectAltNames); i++) {
GENERAL_NAME* gen = sk_GENERAL_NAME_value(subjectAltNames, i);
if (gen->type == GEN_URI || gen->type == GEN_DNS || gen->type ==
GEN_EMAIL) {
ASN1_IA5STRING *asn1_str = gen->d.uniformResourceIdentifi
er;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
String san = Convert::ToString(ASN1_STRING_data(asn1_str)
);
#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
String san = Convert::ToString(ASN1_STRING_get0_data(asn1
_str));
#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
sans->Add(san);
}
}
GENERAL_NAMES_free(subjectAltNames);
return sans;
}
std::string to_string(const errinfo_openssl_error& e) std::string to_string(const errinfo_openssl_error& e)
{ {
std::ostringstream tmp; std::ostringstream tmp;
int code = e.value(); int code = e.value();
char errbuf[120]; char errbuf[120];
const char *message = ERR_error_string(code, errbuf); const char *message = ERR_error_string(code, errbuf);
if (!message) if (!message)
message = "Unknown error."; message = "Unknown error.";
 End of changes. 11 change blocks. 
6 lines changed or deleted 108 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)